AD-A212  351 


NRL  Report  9179 


A  Matrix  Model  for  the  Linear 
Feedback  Shift  Register 

W.  P.  Wardlaw 

Identification  Systems  Branch 
Radar  Division 


July 6, 1989

Approved for public release; distribution unlimited.


REPORT DOCUMENTATION PAGE (DD Form 1473, JUN 86; Form Approved, OMB No. 0704-0188)

Report security classification: UNCLASSIFIED

Performing organization report number: NRL Report 9179

Distribution/availability of report: Approved for public release; distribution unlimited.

Performing organization: Naval Research Laboratory, Code 5350, Washington, DC 20375-5000

Funding/sponsoring organization: Naval Air Systems Command, APC-209, Washington, DC 20361-5000

Source of funding numbers: 6421 IN; W1253

Title (including security classification): A Matrix Model for the Linear Feedback Shift Register

Personal author: Wardlaw, W. P. (Affiliation: Department of Mathematics, U.S. Naval Academy, Annapolis, MD 21402)

Type of report: Final. Time covered: from Jun 87 to Aug 87

Date of report: 1989 July 6. Page count: 20

Subject terms: Linear feedback shift register (LFSR); Secrecy system; Matrix; Random bit stream

Abstract:

In this report, a matrix model is used to discover some of the properties of the linear feedback shift register (LFSR) and to consider its application to security systems.

First the hardware and operation of the LFSR is briefly discussed. Then a representation of the LFSR as a finite state device is used to obtain the matrix model for the LFSR. The matrix model is employed to derive a number of known results about the period of an LFSR as well as some new results concerning subperiods of an LFSR.

Cryptographic applications are suggested by the randomness properties of the LFSR bit stream output. The matrix model provides a concise treatment of the cryptanalysis of the simple LFSR system. Some suggestions are made to improve the security of LFSR secrecy systems.

Distribution/availability of abstract: Unclassified/unlimited. Abstract security classification: UNCLASSIFIED

Responsible individual: Emanuel Vegh, (202) 767-3481, Code 5350




CONTENTS

INTRODUCTION
DESCRIPTION OF THE LFSR
THE FINITE STATE DEVICE
THE MATRIX MODEL
RANDOMNESS PROPERTIES
CRYPTANALYSIS OF THE LFSR
POSSIBILITIES FOR SECURE SYSTEMS
CONCLUSION
ACKNOWLEDGMENTS
REFERENCES




A MATRIX MODEL FOR THE LINEAR FEEDBACK SHIFT REGISTER


INTRODUCTION 

A linear feedback shift register (LFSR) is a device that produces a long period pseudorandom bit stream (a sequence of zeros and ones) that is determined completely by the settings on a relatively small number of switches and a relatively short initial bit stream. The length of the period of the output is exponentially related to the key length, i.e., the number of switches whose settings determine the output. This suggests the possibility of using the output of an LFSR as an additive to a plain text bit stream to produce an enciphered bit stream. Indeed, such applications of LFSRs have been and still are made.

But it is important to be aware of some dangers involved in the use of LFSRs in cryptographical applications. A simple LFSR system is vulnerable to cryptanalysis based on the possession of plain text of length twice that of the key, even though the period of the LFSR is much longer. This cryptanalysis is discussed later in this report.

Although the author believes Theorem 3 and the related results on subperiods of LFSRs to be new, much of the material in this report is discussed at length in the literature, notably in the excellent book [1] by Solomon W. Golomb. The cryptanalysis of the LFSR is discussed in Ref. 2 (pp. 121-129), and a basic introduction is given in a short appendix to an article by G. J. Simmons, which is reprinted in Ref. 3 (pp. 290-294). However, some discussions in the literature are, in this author's opinion, a bit hard to follow or are flawed by some basic mathematical errors. The motivation for this report is to provide a correct, coherent, and easily understandable treatment of LFSRs based on a matrix model. The matrix model is chosen because it fits in well with the author's area of expertise and because this approach should be accessible to the intended audience of this work.

Following this introduction, the hardware of the LFSR is briefly discussed and its operational performance is stipulated. The device is then represented as a finite state device. The latter is used to introduce the matrix model, which is then employed to investigate the periodicity and randomness properties of the LFSR. This model is also exploited to explore the cryptanalysis of a simple LFSR bit stream secrecy system. The report ends with two naive suggestions for constructing secure systems based on LFSRs. This matter warrants further study.

DESCRIPTION  OF  THE  LFSR 

Fig. 1 — Schematic of an n-stage LFSR

An $n$-stage linear feedback shift register (LFSR) consists of a sequence of $n$ binary storage devices (flip-flops, memory locations, registers, etc.) labeled $F_1, F_2, \ldots, F_n$ in Fig. 1. Each device stores either a 0 or a 1. Initially, the value $a_{i-1}$ is stored in device $F_i$ for $i = 1, 2, \ldots, n$. At each pulse of a controlling clock, the value in device $F_{i+1}$ is shifted to device $F_i$, $1 \le i \le n - 1$. The new value in $F_n$ is determined by the feedback, which is the sum modulo 2 of the values in those devices $F_i$ for which the switches $K_i$ are closed. Thus, the new value $a_{n+k}$ placed in device $F_n$ at the $k$th pulse of the clock is given by the $n$th order recursion

$$a_{n+k} = \sum_{i=0}^{n-1} c_i a_{k+i} \quad \text{(addition modulo 2)}, \qquad (1)$$

where each $c_i$ is 0 if switch $K_{i+1}$ is open, or 1 if switch $K_{i+1}$ is closed. The values of the constants $c_i$ comprising the coefficient vector $c = (c_0, c_1, \ldots, c_{n-1})$ make up an $n$ bit key, and the entries in the initial state vector $\bar{a} = \bar{a}(0) = (a_0, a_1, \ldots, a_{n-1})$ make up an $n$ bit initial condition, which together completely determine the output of the shift register. (The two vectors $c$ and $\bar{a}$ together can be thought of as a $2n$ bit key for the particular bit stream beginning with $\bar{a}$.)

Equation (1) completely defines the LFSR and its output, the infinite sequence or bit stream $A = (a_i) = (a_0, a_1, \ldots)$. This equation is the basis of the remainder of this report.

THE  FINITE  STATE  DEVICE 

Instead of viewing the sequence of bits put out by the LFSR, it is useful to consider the state vectors $s = (s_1, s_2, \ldots, s_n)$ of the LFSR. Here, $s_i$ is the value in the $i$th binary register $F_i$. Then we can consider the transition from a given state $s$ to the resulting state $s'$. This model is called a finite state device since its operation is completely described by the transitions $s \to s'$ among the finitely many state vectors $s$. The new state $s' = (s'_1, s'_2, \ldots, s'_n)$ is given by $s'_i = s_{i+1}$ for $1 \le i < n$ and $s'_n = c \cdot s$. (The latter value is obtained by substituting $s_i$ for $a_i$ in Eq. (1).) Clearly, there are $2^n$ possible states.

Sometimes it is convenient to represent the state $s = (s_1, s_2, \ldots, s_n)$ by the binary notation for the number $n(s) = \sum_{i=1}^{n} s_i 2^{n-i}$. For example, $(1, 0, 1)$ and $(0, 1, 1)$ correspond to 101 and 011, respectively. This representation is used in the following examples. The notation $(x.y)$ indicates equation $(x)$ specialized to Example $y$, as in Eq. (1.1) or Fig. 1.2 below. A similar convention is used to number the figures in the examples.
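As an added example that is not part of the report, the following Python script simulates the recursion (1) directly and also steps the finite state device through the transition $s \to s'$ described above; the function names and the return format of `state_cycle` are this example's own conventions. Run as a script, it reproduces the bit stream and the cycle of states of Example 1 below, and it shows how a state of the degenerate register of Example 3 can fall into the zero state after a transient.

```python
# Added example (not from the report): an n-stage LFSR simulated two ways,
# (a) as the recursion a_{n+k} = sum_{i=0}^{n-1} c_i a_{k+i} (mod 2) of Eq. (1),
# (b) as the finite state device with s'_i = s_{i+1}, s'_n = c . s.
# Function names and the state labelling are this example's own choices.

def lfsr_stream(c, a, length):
    """First `length` output bits of the LFSR with coefficient vector
    c = (c_0, ..., c_{n-1}) and initial bits a = (a_0, ..., a_{n-1})."""
    n = len(c)
    assert len(a) == n and all(b in (0, 1) for b in list(a) + list(c))
    bits = list(a)
    while len(bits) < length:
        k = len(bits) - n                       # the next bit is a_{n+k}
        bits.append(sum(c[i] * bits[k + i] for i in range(n)) % 2)
    return bits[:length]

def next_state(c, s):
    """One clock pulse of the finite state device: shift left, append c . s."""
    feedback = sum(ci * si for ci, si in zip(c, s)) % 2
    return tuple(s[1:]) + (feedback,)

def state_label(s):
    """Binary notation n(s) of a state, e.g. (1, 0, 1) -> '101'."""
    return "".join(str(b) for b in s)

def state_cycle(c, s0):
    """Follow s0 -> s0' -> ... until a state repeats.  Returns the list of
    visited state labels and the index at which the repeated state first
    appeared; the cycle length is len(visited) - index, and a nonzero index
    means there was a transient before the cycle (the degenerate case)."""
    seen, visited = {}, []
    s = tuple(s0)
    while s not in seen:
        seen[s] = len(visited)
        visited.append(state_label(s))
        s = next_state(c, s)
    return visited, seen[s]

def period_of_stream(bits):
    """Smallest q with a_{k+q} = a_k for every k that fits in the window,
    or None if no such q < len(bits) exists."""
    for q in range(1, len(bits)):
        if all(bits[k + q] == bits[k] for k in range(len(bits) - q)):
            return q
    return None

if __name__ == "__main__":
    # Example 1 of the report: n = 3, c = (1, 0, 1), initial bits 1 0 0.
    print(lfsr_stream((1, 0, 1), (1, 0, 0), 21))        # 1001110 repeated
    print(state_cycle((1, 0, 1), (1, 0, 0)))            # all 7 nonzero states
    # Example 3: c_0 = 0, so the state 100 falls into the zero state.
    print(state_cycle((0, 1, 1), (1, 0, 0)))
```

`period_of_stream` only inspects the window it is given, so it must be fed at least two full periods of output to be meaningful; for a nondegenerate $n$-stage register, $2(2^n - 1)$ bits always suffice, since the period cannot exceed $2^n - 1$.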
Example 1. $n = 3$, $c = (1, 0, 1)$.

Fig. 1.1 — Schematic of LFSR

$$a_{k+3} = a_k + a_{k+2} \qquad (1.1)$$

Finite State Diagram

Bit stream: 1 0 0 1 1 1 0 . 1 0 0 1 1 1 0 . 1 0 0 1 1 1 0 . ...

Observe how the binary entries of successive states (in boxes) in Example 1 shift to the left, with a new entry $c \cdot s$ added on the right. (Other authors use various notations, changing the shift direction and other aspects of the discussion. The interested reader should thoroughly learn one notation; then it will be easy to translate it to any other notation.)
Example 3. $n = 3$, $c = (0, 1, 1)$.

Fig. 1.3 — Schematic of LFSR

Finite State Diagram

Possible bit streams: 1.000... , 0.011.011... , 1.110.110... , 0.101.101... , 011.011... .

Example 3 is a degenerate three-stage shift register; it is essentially the two-stage LFSR of Example 4, except that the bit stream can begin differently before becoming periodic.
Example 4. $n = 2$, $c = (1, 1)$.

$$a_{k+2} = a_k + a_{k+1} \qquad (1.4)$$

Finite State Diagram

Bit stream: 101.101.101... .

Note that the bit streams in Examples 3 and 4 are the same except at the beginning, and the nontrivial bit streams have period 3. An LFSR is degenerate whenever there is no feedback from the bit register $F_1$, or, equivalently, whenever the constant $c_0 = 0$ in Eq. (1).

In all of these examples, the bit stream is periodic. The period turned out to be the number of states in a cyclic chain of states. The state vector of an $n$-stage LFSR is an $n$-tuple of zeros and ones, so there are $2^n$ possible states. Since the zero state $0 = (0, 0, \ldots, 0)$ leads only to itself, it is not taken as an initial state to produce a bit stream. Thus the period cannot exceed $2^n - 1$, the number of nonzero state vectors. A period of $p = 2^n - 1$ will be called maximum. The next section gives greater insight on the length of the period of an LFSR.




THE  MATRIX  MODEL 

The transition of the $n$-stage LFSR from the state $s = (s_1, \ldots, s_n)$ to its successor state $s' = (s'_1, \ldots, s'_n)$ is given by the $n$ linear equations

$$s'_i = s_{i+1} \quad \text{if } 1 \le i < n, \qquad s'_n = c_0 s_1 + \cdots + c_{n-1} s_n. \qquad (2)$$

In matrix form,

$$s' = sM, \qquad (3)$$

where $M = (m_{ij})$ is the $n \times n$ matrix with

$$m_{ij} = \begin{cases} 1 & \text{if } i = j + 1, \\ c_{i-1} & \text{if } j = n, \\ 0 & \text{otherwise.} \end{cases} \qquad (4)$$

That is,

$$M = \begin{pmatrix} 0 & 0 & \cdots & 0 & c_0 \\ 1 & 0 & \cdots & 0 & c_1 \\ 0 & 1 & \cdots & 0 & c_2 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & 1 & c_{n-1} \end{pmatrix}.$$


If $c_0 = 0$, the matrix $M$ is singular and $uM = 0M = 0$ for $u = (1, 0, \ldots, 0)$. Thus $s' = sM = (s + u)M$, and every successor state $s'$ has two (or more) precedents, $s$ and $s + u$. This is the degenerate case in which the LFSR is essentially an $(n - 1)$-stage register. (This situation was encountered in Example 3. The three-stage LFSR of Example 3 is essentially the same as the two-stage LFSR of Example 4.)

Henceforth, we will usually assume that $c_0 = 1$ and $M$ is nonsingular. Thus, the mapping of $s$ to $s' = sM$ is a permutation of the $2^n$ state vectors. The zero vector is sent to itself and therefore initializes a bit stream consisting entirely of zeros.

There are only finitely many $n \times n$ matrices over the two-element field $GF(2) = \mathbb{Z}_2 = \{0, 1\}$ of integers modulo 2. Hence, there are integers $s$ and $t$ such that $0 \le s < t$ and $M^s = M^t$. Since $M$ is invertible, this means that $M^h = I$ is the identity matrix for $h = t - s$. Let $p$ be the smallest positive integer such that $M^p = I$; $p$ is called the period of $M$ and of the corresponding LFSR.

Now the matrix $M$ defined by Eq. (4) is a companion matrix $M = C(m)$ of the polynomial

$$m(x) = x^n - c_{n-1} x^{n-1} - \cdots - c_1 x - c_0, \qquad (5)$$

as described in Ref. 4 (p. 190). The characteristic and minimum polynomial of $M$ is $m(x)$. (See Ref. 4, p. 190, Corollary 1 to Theorem 2.) We call $m(x)$ the characteristic polynomial of the LFSR corresponding to $M$. It follows from the definition of the minimum polynomial that $m(M) = 0$, and that $f(M) = 0$ for the polynomial $f(x)$ if and only if $m(x)$ divides $f(x)$. In particular, $M^k - I = 0$ if and only if $m(x)$ divides $x^k - 1$. These remarks prove

Theorem 1. Let $M$ be a nonsingular matrix over a finite field $K$ with minimum polynomial $m(x)$. Then the period $p$ of $M$ is the smallest positive integer such that $m(x)$ divides $x^p - 1$.

The exponent of a polynomial $f(x)$ over a field $K$ is defined to be the smallest positive integer $k$ such that $f(x)$ divides $x^k - 1$, or 0, if no such $k$ exists. Theorem 1 shows that the period of a nonsingular matrix over a finite field $K$ is the same as the exponent of its minimum polynomial. The fact that any such matrix has a positive period establishes the fact that if $f(x)$ is a monic polynomial over a finite field $K$ and $f(0) \ne 0$, then $f$ has a positive exponent.

We are interested in the period of the bit stream $a_0, a_1, a_2, \ldots$ of an LFSR, that is, the smallest positive integer $q$ such that $a_{k+q} = a_k$ for all positive integers $k$. Of course, this depends on the choice of the initial vector $\bar{a} = (a_0, \ldots, a_{n-1})$. Define

$$\bar{a}(k) = (a_k, a_{k+1}, \ldots, a_{k+n-1}). \qquad (6)$$

Then

$$\bar{a}(k) = \bar{a}(k-1) M = \bar{a} M^k, \qquad (7)$$

where $\bar{a} = \bar{a}(0)$ is the initial vector and $k$ is any positive integer. Thus the bit stream $A = (a_k)$ has period $q$ if and only if $q$ is the smallest positive integer such that $\bar{a} M^q = \bar{a}$. Of course, this does not require that $M^q = I$, but merely that $M^q - I$ be singular. It has already been observed that $q \le 2^n - 1$; since there are only $2^n - 1$ nonzero $n$-tuples of zeros and ones, there must be a duplication among the vectors $\bar{a} M^k$ for $k = 0, 1, 2, \ldots, 2^n - 1$.

The zero bit stream has period 1. If a nonzero bit stream has period $q$, then $q$ is called a subperiod of the LFSR. In Examples 1 and 2, $q = 2^3 - 1 = 7$ is the only subperiod, which is also the period $p$ of these LFSRs.

The matrices are

$$M = \begin{pmatrix} 0 & 0 & 1 \\ 1 & 0 & 0 \\ 0 & 1 & 1 \end{pmatrix} \quad \text{and} \quad M = \begin{pmatrix} 0 & 0 & 1 \\ 1 & 0 & 1 \\ 0 & 1 & 0 \end{pmatrix}, \text{ respectively.}$$

In each case, $p = 7 = \min\{k \in \mathbb{N} : M^k = I\}$. This is more easily seen from the minimum polynomials $m(x) = x^3 + x^2 + 1$ and $m(x) = x^3 + x + 1$, respectively. In each case, $m(x)$ divides $x^7 - 1 = (x - 1)(x^3 + x + 1)(x^3 + x^2 + 1)$, but $m(x)$ does not divide $x^k - 1$ for $k < 7$.

In Example 4, $q = 2^2 - 1 = 3$ is the only subperiod, and the period is $p = 3$. In all three of these cases, the period $p = 2^n - 1$ is maximum, and every subperiod is equal to $p$.
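To make the matrix model concrete, here is an added Python example (not code from the report) that builds $M$ from $c$ as in Eq. (4), checks $s' = sM$ against the recursion, computes the period $p = \min\{k : M^k = I\}$ over $GF(2)$, and finds the subperiods by following $\bar{a} M^k$ for every nonzero initial vector as in Eq. (7). Matrices are plain lists of rows with arithmetic modulo 2; all helper names are this example's own assumptions.

```python
# Added example (not from the report): the matrix model of Eqs. (3)-(4) over
# GF(2).  matrix_period returns p = min{k >= 1 : M^k = I} (None when M is
# singular, i.e. c_0 = 0), and subperiods returns the periods q of the
# nonzero bit streams, found as the orbit length of each nonzero a-bar.
from itertools import product

def companion_matrix(c):
    """M = (m_ij) of Eq. (4): m_ij = 1 if i = j + 1, c_{i-1} if j = n, else 0.
    Indices below are 0-based, so the 1 sits at row j + 1, column j."""
    n = len(c)
    M = [[0] * n for _ in range(n)]
    for j in range(n - 1):
        M[j + 1][j] = 1
    for i in range(n):
        M[i][n - 1] = c[i]
    return M

def vec_mat(v, M):
    """Row vector times matrix, entries reduced modulo 2: s' = sM of Eq. (3)."""
    n = len(M)
    return tuple(sum(v[i] * M[i][j] for i in range(n)) % 2 for j in range(n))

def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % 2 for j in range(n)]
            for i in range(n)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matrix_period(c):
    """Smallest p >= 1 with M^p = I, or None if no power of M is I.
    A nonsingular M has p <= 2^n - 1, so 2^n steps always suffice."""
    n = len(c)
    M = P = companion_matrix(c)
    I = identity(n)
    for p in range(1, 2 ** n + 1):           # P holds M^p at the start of each step
        if P == I:
            return p
        P = mat_mul(P, M)
    return None

def subperiods(c):
    """Set of all q such that some nonzero a-bar has a-bar M^q = a-bar with q
    minimal.  Initial vectors that never return (possible only when M is
    singular) contribute nothing."""
    n = len(c)
    M = companion_matrix(c)
    found = set()
    for a in product((0, 1), repeat=n):
        if not any(a):
            continue                         # the zero state is excluded
        v, q = vec_mat(a, M), 1
        while v != a and q <= 2 ** n:
            v, q = vec_mat(v, M), q + 1
        if v == a:
            found.add(q)
    return found

if __name__ == "__main__":
    for name, c in [("Example 1", (1, 0, 1)), ("Example 2", (1, 1, 0)),
                    ("Example 4", (1, 1)), ("Example 3 (degenerate)", (0, 1, 1))]:
        print(name, "M =", companion_matrix(c), "p =", matrix_period(c),
              "subperiods =", sorted(subperiods(c)))
```

Because `subperiods` enumerates all $2^n - 1$ nonzero states and `matrix_period` multiplies $n \times n$ matrices up to $2^n$ times, the script is only meant for the small registers of the examples; Theorem 1 and Theorem 3 later in the report replace this brute force by polynomial arithmetic on $m(x)$.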
The following three examples illustrate other possibilities for the period and subperiods of an LFSR. In these examples, the state diagrams are abbreviated by omitting the arrows between state vectors and listing the vectors of the form $\bar{a} M^k$ in a column under $\bar{a}$.


Example 5. $n = 3$, $c = (1, 0, 0)$, $M = \begin{pmatrix} 0 & 0 & 1 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \end{pmatrix}$.

States:

    000   111   001   011
                010   110
                100   101

Period: 3. Subperiods: 1, 3.

$m(x) = x^3 + 1 = x^3 - 1 = (x - 1)(x^2 + x + 1)$.

Example 6. $n = 3$, $c = (1, 1, 1)$, $M = \begin{pmatrix} 0 & 0 & 1 \\ 1 & 0 & 1 \\ 0 & 1 & 1 \end{pmatrix}$.

States:

    000   111   010   001
                101   011
                      110
                      100

Period: 4. Subperiods: 1, 2, 4.

$m(x) = x^3 + x^2 + x + 1 = (x - 1)^3$.

Example 7. $n = 4$, $c = (1, 1, 1, 1)$, $M = \begin{pmatrix} 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 \end{pmatrix}$.

States:

    0000   0001   0010   0111
           0011   0101   1111
           0110   1010   1110
           1100   0100   1101
           1000   1001   1011

Period: 5. Subperiods: 5.

$m(x) = x^4 + x^3 + x^2 + x + 1$.

Observe  that  in  every  example  given,  the  period  p  of  the  LFSR  is  also  the  largest  subperiod. 
This  is  always  the  case. 




Theorem 2. Let $p$ be the period of the nondegenerate $n$-stage LFSR with matrix $M$. Then the bit sequence with initial vector $\bar{a} = (1, 0, \ldots, 0)$ has period $p$, $n \le p \le 2^n - 1$, and every subperiod $q$ divides $p$. Moreover, if $p$ is maximum ($p = 2^n - 1$), then $p$ is the only subperiod of the LFSR.

Proof: Let $s$ be the period of the bit stream with initial vector $\bar{a}$. Then $s$ is the smallest positive integer such that $\bar{a} M^s = \bar{a}$, and $\bar{a}(k) M^s = \bar{a} M^{s+k} = \bar{a} M^k = \bar{a}(k)$ for every positive integer $k$. Thus $M^s$ acts as the identity on the vectors $\bar{a}(1), \bar{a}(2), \ldots, \bar{a}(n)$. But $\bar{a}(1) = \bar{a} M = (0, 0, \ldots, 0, 1) = (a_1, a_2, \ldots, a_n)$ and $\bar{a}(k) = (a_k, a_{k+1}, \ldots, a_{k+n-1})$ begins with $n - k$ zeros followed by $a_n = 1$ in position $n - k + 1$, so the set $\{\bar{a}(1), \bar{a}(2), \ldots, \bar{a}(n)\}$ forms a basis of the vector space $K^n$ of all $n$-tuples with entries in $K = GF(2)$. Since $M^s$ acts as the identity on a basis, it must be the identity. Hence, $s$ is the smallest positive integer such that $M^s = I$; that is, $s = p$ is the period of $M$.

Now, $p$ is a subperiod of $M$, so (as already shown) $p \le 2^n - 1$. Since $\bar{a}(p + 1) = \bar{a}(1)$, and $\{\bar{a}(1), \bar{a}(2), \ldots, \bar{a}(n)\}$ is independent, it follows that $n \le p$. (The latter is also a corollary of Theorem 1, since $m(x)$ divides $x^p - 1$ and $m(x)$ has degree $n$.)

Suppose that $q$ is a subperiod of $M$. Thus, for some nonzero vector $v$, $q$ is the smallest positive integer such that $v = v M^q$. Let $p = dq + r$ with $0 \le r < q$. Then $M^p = I$, so $v = v M^p = v M^{dq} M^r = v (M^q)^d M^r = v M^r$. The minimality of $q$ implies that $r = 0$, so $q$ divides $p$.

Finally, suppose the period $p$ of $M$ is maximum. That is, $p = 2^n - 1$. Then the $2^n - 1$ vectors $\bar{a}(k) = \bar{a} M^k$ for $0 \le k \le 2^n - 2$ include all the nonzero vectors in $K^n$, and each of these vectors has period $p$. Clearly, then, the only subperiod is $q = p = 2^n - 1$. □

The reader may have noticed from the examples that $M$ has subperiod 1 if and only if $\mathbf{1} M = \mathbf{1}$ for $\mathbf{1} = (1, 1, \ldots, 1)$. This is the case exactly when the coefficient vector $c$ has an odd number of ones, and the latter is equivalent to $m(1) = 0$. Thus 1 is a subperiod if and only if $x - 1$ divides $m(x)$. This can be generalized as follows.

Theorem 3. Let $m(x)$ be the characteristic polynomial of an LFSR. Then for any positive integer $q$, the LFSR has a subperiod $q$ if and only if $\gcd(m(x), x^q - 1)$ is not 1 and does not divide $x^k - 1$ for any $k < q$.

Before proving Theorem 3, we apply it to Examples 1 to 6 previously stated. Recall that if $c = (c_0, c_1, \ldots, c_{n-1})$, then $m(x) = x^n + c_{n-1} x^{n-1} + \cdots + c_1 x + c_0$.

Example 1. $m(x) = x^3 + x^2 + 1$ is irreducible and divides $x^7 - 1 = (x - 1)(x^3 + x + 1)(x^3 + x^2 + 1)$, so the LFSR has period 7. Since $\gcd(m(x), x^k - 1) = 1$ for $k < 7$, 7 is the only subperiod, as we already knew from Theorem 2.

Example 2. $m(x) = x^3 + x + 1$ has period and only subperiod 7, exactly as in Example 1.

Example 3. $m(x) = x^3 + x^2 + x = x(x^2 + x + 1)$. ($m(0) = 0$, so the matrix $M$ is singular and the LFSR is degenerate.) Since $\gcd(m(x), x^3 - 1) = x^2 + x + 1$ divides neither $x - 1$ nor $x^2 - 1$, the LFSR has subperiod 3. Moreover, $\gcd(m(x), x^k - 1) = 1$ unless 3 divides $k$, so 3 is the only subperiod. Since $M$ is singular, no power of $M$ is equal to $I$. However, $M^{3+k} = M^k$ for every $k \ge 1$, so we say $M$ and the LFSR have period 3.

Example 4. $m(x) = x^2 + x + 1$. Since $\gcd(m(x), x^3 - 1) = m(x)$ divides neither $x - 1$ nor $x^2 - 1$, 3 is a subperiod. Since $\gcd(m(x), x^k - 1) = 1$ unless 3 divides $k$, in which case $\gcd(m(x), x^{3h} - 1) = m(x)$, 3 is the only subperiod. It follows that 3 is also the period. (The latter is also clear because $m(x)$ divides $x^3 - 1$.)

Example 5. $m(x) = x^3 - 1 = (x - 1)(x^2 + x + 1)$. Since $\gcd(m(x), x - 1) = x - 1$, the LFSR has a subperiod 1. Since $m(x) = x^3 - 1$, the LFSR has a subperiod and period 3.

Example 6. $m(x) = x^3 + x^2 + x + 1 = (x - 1)^3$. Since $\gcd(m(x), x^k - 1) = x^k - 1$ for $k = 1, 2$, and $\gcd(m(x), x^4 - 1) = m(x)$, the LFSR has subperiods 1, 2, and 4, and has period 4, since $m(x)$ divides $x^4 - 1$.

The  proof  of  Theorem  3  is  facilitated  by  the  following  lemmas. 

Lemma A. Let $A$ be a square matrix with minimum polynomial $m(x)$, and let $p(x)$ be any polynomial. Then $p(A)$ is nonsingular if and only if $\gcd(m(x), p(x)) = 1$.

Proof: Let $d(x) = \gcd(m(x), p(x)) = f(x) m(x) + g(x) p(x)$. If $d(x) = 1$, then $I = d(A) = f(A) m(A) + g(A) p(A) = g(A) p(A)$, since $m(A) = 0$. Hence $p(A)$ has inverse $g(A)$, so $p(A)$ is nonsingular. On the other hand, if $d(x)$ has degree $\ge 1$, write $m(x) = m_0(x) d(x)$ and $p(x) = p_0(x) d(x)$. Since $m_0(x)$ has lower degree than $m(x)$, $m_0(A) \ne 0$, but $p(A) m_0(A) = p_0(A) m(A) = 0$. Hence, $p(A)$ is singular. □

Lemma B. (Primary Decomposition Theorem) Let $T$ be a linear operator on the finite dimensional vector space $V$ over the field $K$. Let the minimum polynomial $m$ of $T$ be factored into powers $p_i^{e_i}$ of distinct irreducible monic polynomials $p_i$ over $K$, $i = 1, 2, \ldots, r$.

Let $V_i$ be the null space of $p_i(T)^{e_i}$, $i = 1, 2, \ldots, r$. Then

(a) $V = V_1 \oplus V_2 \oplus \cdots \oplus V_r$,

(b) each $V_i$ is invariant under $T$, and

(c) if $T_i$ is the restriction of $T$ to $V_i$, then the minimum polynomial for $T_i$ is $p_i^{e_i}$.

The proof of this result is given in Ref. 4 (Theorem 12, pp. 180-181).


Lemma C. Let $T$ be a linear operator on the finite dimensional vector space $V$ over the field $K$ with minimum polynomial $m$, and let $p$ be any polynomial over $K$. If $T_W$ is the restriction of $T$ to the null space $W$ of $p(T)$, then the minimum polynomial of $T_W$ is $m_W = \gcd(m, p)$.

Proof: Since $p(T_W) = 0$, it follows that $m_W$ divides $p$. Moreover, $m_W$ divides $m$, since $m(T_W) = 0$. Hence, $m_W$ divides $d = \gcd(m, p)$.

Let $d = p_1^{a_1} \cdots p_k^{a_k}$ be a factorization of $d$ into distinct monic polynomials $p_i$ that are irreducible over $K$. Then

$$p = p_0 p_1^{b_1} \cdots p_k^{b_k} \quad \text{and} \quad m = m_0 p_1^{e_1} \cdots p_k^{e_k},$$

where $p_0$ and $m_0$ are polynomials such that $\gcd(p_0, m) = \gcd(m_0, p) = 1$. For each $i = 1, 2, \ldots, k$ there is a vector $v_i$ in $V_i$ (see Lemma B) such that $v_i p_i(T)^{e_i} = 0 \ne v_i p_i(T)^{e_i - 1}$, since $p_i^{e_i}$ is the minimum polynomial of $T$ restricted to $V_i$. Now, $a_i = \min(b_i, e_i)$, so for each $i = 1, 2, \ldots, k$, there is a vector $w_i$ in $V_i$ such that $w_i p_i(T)^{a_i} = 0 \ne w_i p_i(T)^{a_i - 1}$. (Simply let $w_i = v_i p_i(T)^{e_i - a_i}$, where $v_i$ is the vector found above.) Thus, $w_i$ is in $W$. Now $m_W = p_1^{c_1} \cdots p_k^{c_k}$ with $c_i \le a_i$, since it divides $d = p_1^{a_1} \cdots p_k^{a_k}$. But $c_j < a_j$ implies $w_j m_W(T) = w_j p_j(T)^{c_j} (m_W / p_j^{c_j})(T) \ne 0$, since $w_j p_j(T)^{c_j}$ is a nonzero vector in $V_j$ and $(m_W / p_j^{c_j})(T)$ acts nonsingularly on $V_j$. Therefore, each $c_i = a_i$ and $m_W = d$ as claimed. □

Lemma D. Suppose $v$ has period $q$ with respect to the matrix $A$ and $v A^k = v$ for some $k \ge q$. Then $q$ divides $k$.

Proof: By definition, $q$ is the smallest positive integer such that $v A^q = v$. Let $k = qd + r$ with $0 \le r < q$. Then $v = v A^k = v A^{qd + r} = v (A^q)^d A^r = v A^r$ implies $r = 0$ by the minimality of $q$. Therefore, $q$ divides $k$. □

We are now ready to prove Theorem 3. We apply the lemmas to the matrix $M$ of the LFSR. Lemmas B and C will be applied to the matrix $M$ interpreted as a linear transformation on the vector space $K^n$ of all $n$-tuples of elements in the field $K = GF(2) = \mathbb{Z}_2$ of integers modulo 2.

Proof of Theorem 3: Consider an LFSR with matrix $M$ and characteristic polynomial $m$. Let $q$ be a positive integer and let $W$ be the null space of $M^q - I$. By Lemma C, $d = \gcd(m, x^q - 1)$ is the minimum polynomial of the restriction $M_W$ of $M$ to $W$. If $d$ divides $x^k - 1$ for $k < q$, then $M_W^k - I = 0$ and $v M^k = v$ whenever $v M^q = v$ (i.e., whenever $v$ is in $W$), so $q$ is not a subperiod of $M$. Hence, if $q$ is a subperiod of $M$, then $d$ does not divide $x^k - 1$ for any $k < q$. Also, if $q$ is a subperiod, $M^q - I$ is singular, so $d = \gcd(m, x^q - 1) \ne 1$ by Lemma A.

On the other hand, suppose $d \ne 1$ and does not divide $x^k - 1$ for any $k < q$. Let $d = p_1^{a_1} \cdots p_r^{a_r}$, where each $p_i$ is a monic irreducible polynomial over $K$, and let $W = W_1 \oplus \cdots \oplus W_r$ be the primary decomposition of $W$, as in Lemma B. For each $i = 1, \ldots, r$, let $w_i$ in $W_i$ satisfy $w_i p_i(M)^{a_i} = 0 \ne w_i p_i(M)^{a_i - 1}$, and let $w = w_1 + \cdots + w_r$. Now $w M^q = w$, since $w$ is in $W$. Suppose, if possible, that $w$ has period $k < q$. Then $k$ divides $q$ by Lemma D and $x^k - 1$ divides $x^q - 1$, so $\gcd(m(x), x^k - 1) = p_1^{b_1} \cdots p_r^{b_r}$ with $b_i \le a_i$ for $1 \le i \le r$. Since $d$ does not divide $x^k - 1$, there is a $j$ such that $b_j < a_j$. But then $w (M^k - I) E_j = w_j (M^k - I) \ne 0$ ($E_j$ is the projection of $W$ onto $W_j$, and it commutes with $M$) since $w_j p_j(M)^{b_j} \ne 0$. This contradicts $w$ having period $k$. Therefore $w$ has period $q$, and $q$ is a subperiod of $M$. This completes the proof of Theorem 3. □

As we have seen, the characteristic polynomial $m(x)$ of an LFSR is sufficient to determine all the periods of the LFSR. It is usually desirable to make the subperiods as large as possible. That is, we want the period $p$ of the LFSR to be the only subperiod. The next corollary shows how to accomplish this goal.

Corollary 4. Let $m(x)$ be the characteristic polynomial of an LFSR with period $p$. If $m(x)$ is irreducible, or, if $p$ is prime and $m(1) \ne 0$, then $p$ is the only subperiod of the LFSR.

Proof: By Theorem 1, $p$ is the smallest positive integer such that $m(x)$ divides $x^p - 1$. If $m(x)$ is irreducible, it follows that $\gcd(m(x), x^k - 1) = 1$ for any $k < p$, and hence Theorem 3 shows that $p$ is the only subperiod. If $p$ is prime and $q$ is a subperiod, $q$ divides $p$ by Theorem 2, so $q = 1$ and $\gcd(m(x), x - 1) \ne 1$, again by Theorem 3. But the latter implies $x - 1$ divides $m(x)$ and $m(1) = 0$, contradicting the hypothesis. □

The following example shows that the converse of Corollary 4 is false.

Example 8. $m(x) = (x^4 + x + 1)(x^4 + x^3 + 1)$ divides $x^{15} - 1 = (x - 1)(x^2 + x + 1)(x^4 + x + 1)(x^4 + x^3 + 1)(x^4 + x^3 + x^2 + x + 1)$, but $\gcd(m(x), x^k - 1) = 1$ for $k < 15$, so $m(x)$ has period and subperiod 15, but no other subperiods.

It has already been observed that an $n$-stage LFSR can have period at most $2^n - 1$. Now we investigate how to obtain such maximum period LFSRs.

Lemma 5. If $f(x) \ne x$ is an irreducible polynomial over $GF(2)$ of degree $n$, then $f(x)$ divides $x^{2^n - 1} - 1$.

Proof: The algebraic extension $L$ of $K = GF(2)$ corresponding to $f(x)$ is of degree $n$, so $L$ has $2^n$ elements and is the splitting field of the polynomial $x^{2^n} - x = x(x^{2^n - 1} - 1)$. Hence, $f(x)$ divides $x^{2^n - 1} - 1$. (See Ref. 5, p. 39, Lemma 3.2 and p. 169, Theorem 16.3.) □

Corollary 6. If $m(x)$ has maximum exponent, then $m(x)$ is irreducible.

Proof: As usual, assume $m(x)$ has degree $n$. If $m(x)$ is reducible, it has an irreducible factor $f(x)$ of positive degree $r < n$. Hence, $f(x)$ divides $x^{2^r - 1} - 1$, so $\gcd(m, x^k - 1) \ne 1$ for some $k \le 2^r - 1 < 2^n - 1$, and there is a subperiod $q < 2^n - 1$, by Theorem 3. Thus, Theorem 2 shows that $m(x)$ does not have maximum exponent. □

Now we see that the maximum period $p = 2^n - 1$ can only be achieved when $m(x)$ is irreducible, and in this case, $p$ is also the only subperiod. The latter is of importance, since it guarantees a period of maximum length $2^n - 1$ will be achieved for any choice of a nonzero vector $\bar{a} = \bar{a}(0)$. One problem remains: the irreducibility of $m(x)$ does not guarantee it has maximum exponent. Indeed, the fourth degree polynomial $m(x) = x^4 + x^3 + x^2 + x + 1$ given in Example 7 is irreducible, but it has exponent 5 rather than $2^4 - 1 = 15$. The problem is certainly not insurmountable.

Golomb's book in Ref. 1 (p. 40) shows that there are

$\lambda(n) = \phi(2^n - 1)/n$  (8)

polynomials of degree $n$ that have maximum exponent ($\phi$ is the Euler totient function; $\phi(k)$ is the
number of positive integers less than $k$ which are relatively prime to $k$). Golomb's tables (pp. 62-65
and 97-107) list some of these polynomials of maximum exponent.

However,  one  can  also  guarantee  that  m(x)  has  maximum  exponent  as  follows. 

Corollary 7. If $2^n - 1$ is prime, then each irreducible polynomial $m(x)$ of degree $n$ has maximum
exponent.

Proof: Let $r = 2^n - 1$. $m(x)$ divides $x^r - 1$, by Lemma 5, so the companion matrix $M$ of
$m(x)$ satisfies $M^r = I$. Hence, $M$ has period $p$ with $n \le p \le r$ (by Theorem 2), and $p$ divides $r$ by
a standard group theoretical argument (or by Lemma 1, using $v = (1, 0, \ldots, 0) = a$ as vector of
period $p$ given by Theorem 2). Since $r = 2^n - 1$ is prime, $n > 1$. Thus $p > 1$ and $p$ divides the
prime $r$, so $p = r = 2^n - 1$. □

Primes of the form $2^n - 1$ are called Mersenne primes. Golomb has a table in Ref. 1 (Table
III-1, p. 37) that shows the first 23 Mersenne primes $2^n - 1$ obtained by taking $n$ = 2, 3, 5, 7, 13,
17, 19, 31, 61, 89, 107, 127, 521, 607, 1279, 2203, 2281, 3217, 4253, 4423, 9689, 9941, and
11213. Thus, if $m(x)$ is an irreducible polynomial of degree $n$ for any of these values, $m(x)$ has
maximum exponent $p = 2^n - 1$.
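The following Python is an added example (not from the report) that computes, by brute force for small degrees, the quantities discussed above: the exponent of a polynomial over GF(2) as the period of its companion matrix, an irreducibility test, the subperiods given by Theorem 3's criterion gcd(m(x), x^k - 1) ≠ 1, and the count λ(n) of Eq. (8). All function names are the example's own. Run on Examples 7 and 8 it reports exponent 5 for x^4 + x^3 + x^2 + x + 1 and a single subperiod 15 for (x^4 + x + 1)(x^4 + x^3 + 1); for n = 5, where 2^5 - 1 = 31 is prime, it confirms Corollary 7 by finding that every irreducible quintic has exponent 31.

```python
# Added example, not from the report: exponent of a polynomial over GF(2)
# (the period of its companion matrix), an irreducibility test, the subperiods
# of Theorem 3, and the count lambda(n) = phi(2^n - 1)/n of Eq. (8).
# Polynomials are ints with bit i = coefficient of x^i, e.g. 0b10011 = x^4 + x + 1.
from math import gcd


def poly_mod(a, b):
    """Remainder of a divided by b over GF(2)."""
    while a and a.bit_length() >= b.bit_length():
        a ^= b << (a.bit_length() - b.bit_length())
    return a


def poly_mul(a, b):
    """Product of a and b over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r


def poly_gcd(a, b):
    """Euclid's algorithm over GF(2)."""
    while b:
        a, b = b, poly_mod(a, b)
    return a


def exponent(m):
    """Smallest e >= 1 with x^e = 1 (mod m): the period of the companion matrix of m.
    Requires m(0) = 1, so x is a unit mod m and its powers return to 1."""
    n = m.bit_length() - 1
    if n < 1 or not m & 1:
        raise ValueError("m must have positive degree and m(0) = 1")
    p, e = 1, 0
    while True:
        p <<= 1                 # multiply by x ...
        if p >> n & 1:
            p ^= m              # ... and reduce modulo m
        e += 1
        if p == 1:
            return e


def is_irreducible(m):
    """Trial division by every polynomial of degree 1 .. deg(m)/2."""
    n = m.bit_length() - 1
    return n >= 1 and all(poly_mod(m, f) != 0
                          for d in range(1, n // 2 + 1)
                          for f in range(1 << d, 1 << (d + 1)))


def subperiods(m):
    """Theorem 3's criterion: k with 1 <= k <= exponent(m) and gcd(m, x^k - 1) != 1."""
    return {k for k in range(1, exponent(m) + 1) if poly_gcd(m, (1 << k) | 1) != 1}


def euler_phi(k):
    """Euler totient: positive integers up to k that are relatively prime to k."""
    return sum(1 for i in range(1, k + 1) if gcd(i, k) == 1)


def lambda_n(n):
    """Eq. (8): number of degree-n polynomials of maximum exponent 2^n - 1."""
    return euler_phi((1 << n) - 1) // n


def max_exponent_polys(n):
    """Brute force: degree-n polynomials with m(0) = 1 whose exponent is 2^n - 1."""
    return [m for m in range((1 << n) | 1, 1 << (n + 1), 2)
            if exponent(m) == (1 << n) - 1]


if __name__ == "__main__":
    ex8 = poly_mul(0b10011, 0b11001)          # (x^4 + x + 1)(x^4 + x^3 + 1)
    print("Example 7:", exponent(0b11111), is_irreducible(0b11111), subperiods(0b11111))
    print("Example 8:", exponent(ex8), is_irreducible(ex8), subperiods(ex8))
    for n in (3, 4, 5):
        print(n, lambda_n(n), [bin(m) for m in max_exponent_polys(n)])
```

The brute-force search is only practical for small n; its purpose is to make the theorems checkable, not to find primitive polynomials of the sizes listed in Golomb's tables.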

RANDOMNESS  PROPERTIES 

A bit stream arising from an $n$-stage LFSR with maximum period $p = 2^n - 1$ satisfies the following
"randomness" properties:

R1. The sequence $a_k$ for $0 \le k \le 2^n - 2$ contains exactly $2^{n-1}$ ones and $2^{n-1} - 1$ zeros.

R2. In every period of the bit stream, if $0 < k < n - 1$, there are twice as many runs of $k$
zeros as there are of $k + 1$ zeros, and the number of runs of $k$ ones is the same as the number of
runs of $k$ zeros.

R3. The autocorrelation function $C(t)$ has two values. Explicitly,

$pC(t) = \begin{cases} p & \text{if } t = 0, \\ -1 & \text{if } 0 < t < p. \end{cases}$  (9)


All of these properties arise from the fact that the $p = 2^n - 1$ vectors $a(k)$ with $1 \le k \le p$
contain each nonzero $n$-tuple of 0's and 1's exactly once. For example, the five-stage LFSR with
$m(x) = x^5 + x^2 + 1$ has maximum period $31 = 2^5 - 1$. One period of its bit stream is

0000100101100111110001101110101.  (10)

It has 15 zeros and 16 ones, thus it satisfies R1. The runs of zeros and ones are counted below. (A
run of $L$ ones is a zero followed by exactly $L$ ones and another zero.) The symbols $N_0(L)$ and
$N_1(L)$, respectively, denote the number of runs of zeros and ones, of length $L$.


L    N_0(L)    N_1(L)
1      4         4
2      2         2
3      1         1
4      1         0
5      0         1


Thus, the bit stream (10) satisfies property R2. Property R3 also holds for this bit stream. Equation
(9) clearly holds for $t = 0$. The reader can check Eq. (9) for $0 < t < p = 31$ by writing the bit
stream (10) horizontally and then rewriting it underneath shifted $t$ places to the left and wrapped
around to the end. When $t = 5$, one obtains

0000100101100111110001101110101
0010110011111000110111010100001
++ ++ +  ++     +++  +   + + ++

(The +'s indicate vertical matches.) For each $t$ there will be 15 vertical matches between the two
sequences.

S. Golomb proves in Ref. 1 (pp. 43-45) that maximum period LFSR bit streams satisfy the randomness
properties R1 through R3. In the interest of brevity, we forego the presentation of his
proofs here.
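The checks R1 through R3 can be automated. The following Python is an added example (not from the report) that counts ones and zeros, builds the run table, and evaluates pC(t) for every shift, using the report's stream (10) as its constructed input; the function names are the example's own. One caveat, visible in the run table above: N_0(3) = N_0(4) = 1 there, so the halving of zero runs can only be checked for run lengths k with k + 1 ≤ n - 2. The checker applies the doubling test on that range and the equality N_0(k) = N_1(k) for 0 < k < n - 1 as stated.

```python
# Added example, not from the report: a checker for properties R1-R3 over one
# period of a bit stream, with the report's stream (10) as constructed input.

STREAM_10 = "0000100101100111110001101110101"   # Eq. (10): m(x) = x^5 + x^2 + 1, p = 31


def bit_counts(period):
    """R1: (number of ones, number of zeros) in one period."""
    return period.count("1"), period.count("0")


def run_table(period):
    """R2: {L: (N0(L), N1(L))}, runs counted cyclically around the period."""
    bits = period
    # rotate so the period starts at a run boundary; a run that wraps around
    # the end of the period is then counted exactly once
    start = next((i for i in range(len(bits)) if bits[i] != bits[i - 1]), 0)
    bits = bits[start:] + bits[:start]
    table, i = {}, 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        n0, n1 = table.get(j - i, (0, 0))
        table[j - i] = (n0 + 1, n1) if bits[i] == "0" else (n0, n1 + 1)
        i = j
    return dict(sorted(table.items()))


def autocorrelation(period, t):
    """R3: p*C(t) = agreements - disagreements between the period and its cyclic shift by t."""
    p = len(period)
    shifted = period[t % p:] + period[:t % p]
    agree = sum(a == b for a, b in zip(period, shifted))
    return agree - (p - agree)


def check_r1_r2_r3(period):
    """Return (R1 holds, R2 holds, R3 holds) for a period of length p = 2^n - 1."""
    p = len(period)
    n = (p + 1).bit_length() - 1          # p = 2^n - 1
    ones, zeros = bit_counts(period)
    r1 = ones == 1 << (n - 1) and zeros == (1 << (n - 1)) - 1
    runs = run_table(period)
    n0 = lambda L: runs.get(L, (0, 0))[0]
    n1 = lambda L: runs.get(L, (0, 0))[1]
    # N0(k) = N1(k) for 0 < k < n - 1; N0(k) = 2 N0(k + 1) while k + 1 <= n - 2
    r2 = (all(n0(k) == n1(k) for k in range(1, n - 1)) and
          all(n0(k) == 2 * n0(k + 1) for k in range(1, n - 2)))
    r3 = (autocorrelation(period, 0) == p and
          all(autocorrelation(period, t) == -1 for t in range(1, p)))
    return r1, r2, r3


if __name__ == "__main__":
    print("ones, zeros:", bit_counts(STREAM_10))
    print("runs:", run_table(STREAM_10))
    print("p*C(5):", autocorrelation(STREAM_10, 5))
    print("R1, R2, R3:", check_r1_r2_r3(STREAM_10))
```

Flipping a single bit of (10) already breaks R1 (the counts become 15 and 16), which is why a checker like this is a useful first filter on any generator that claims these properties.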

CRYPTANALYSIS  OF  THE  LFSR 

The long length $2^n - 1$ of the period of the bit stream compared to the relatively short length
$2n$ of the key, as well as the random nature of the bit stream, suggest that the LFSR bit stream be
used as an additive to plaintext to produce scrambled text. However, note that the linear relationship
between the key and the bit stream output makes the LFSR vulnerable to the following cryptanalysis.

Suppose the antagonist can obtain $2n$ bits of ciphertext $y_i$ for $1 \le i \le 2n$ and corresponding
plaintext $x_i$ for $1 \le i \le 2n$. Since $y_i = x_i + a_i$ (addition in $GF(2) = Z_2$), the corresponding bit
stream $a_i = y_i + x_i$ ($1 \le i \le 2n$) can be recovered by using addition modulo 2. Thus the vectors

$a(k) = (a_k, a_{k+1}, \ldots, a_{k+n-1})$

(Eq. (6)) can be constructed for $1 \le k \le n + 1$. Thence the $n \times n$ matrices $A$ and $B$, whose $k$th
rows are $a(k)$ and $a(k + 1)$, respectively, can be constructed. Recall from Eq. (7) that

$a(k)M = a(k + 1)$,  (11)

where $M$ is the matrix of the LFSR. Thus, $AM = B$ and

$M = A^{-1}B$  (12)

can be obtained by inverting the nonsingular matrix $A$. (The nonsingularity of $A$ follows from the
independence of $\{a(1), \ldots, a(n)\}$, as shown in the proof of Theorem 2.) Then the matrix $M$ can be
used to produce the entire bit stream by Eq. (11), thus completing the cryptanalysis.

The above analysis seems to presume that the cryptanalyst had prior knowledge of the number $n$
of stages of the LFSR. However, this need not be the case. The cryptanalyst can determine $n$ as the
number of "lengthened" vectors $a'(k) = (a_k, a_{k+1}, \ldots, a_{k+s})$, $s > n - 1$, in a maximal independent
set $\{a'(k) : k = 1, 2, \ldots, n\}$. All the cryptanalyst needs is $2n$ or more consecutive bits of the
LFSR bit stream.

POSSIBILITIES  FOR  SECURE  SYSTEMS 

In this section we discuss some possible ways to overcome the vulnerability of LFSRs to cryptanalysis.
The comments here are only naive suggestions to consider. The security of a secrecy system
can only be validated by the failure of the concerted efforts of a team of expert cryptanalysts.

One suggestion is to use two (or more) LFSRs of periods $p$ and $q$ and add their bit streams.
The resulting bitstream would have period equal to the least common multiple of $p$ and $q$, or to the
product $pq$, if $p$ and $q$ were chosen with no common factors. Thus one would want an $m$-stage and
an $n$-stage LFSR with $m$ and $n$ relatively prime, having necessarily relatively prime maximum periods
$p = 2^m - 1$ and $q = 2^n - 1$, respectively. The resulting period of the bit stream would be $pq$.
This is the same order of magnitude as the maximum period $2^{m+n} - 1$ of a single $(n + m)$-stage
LFSR using the "same hardware," i.e., $n + m$ registers. Further study is needed to determine if the
adding of the two bit streams would destroy the linearity that caused the weakness in the single
LFSR.
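The following Python is an added example (not from the report) that carries out the cryptanalysis of Eqs. (11) and (12), including the rank test for n, against constructed keystreams. It is written as the check a designer applies to a candidate generator: if the matrix recovered from 2n known bits regenerates the whole observed stream, the generator is linear of order n and unsuitable on its own. It also runs the same test on the sum of a 3-stage and a 4-stage LFSR as proposed above: the sum has period 7 · 15 = 105, but the rank test reports 7 stages and 14 bits suffice to regenerate it, which is expected because a sum of two linear recurring sequences satisfies the recurrence whose characteristic polynomial is the product of the two. All function names and initial states are the example's own; bits are stored in lists and polynomials as integers with bit i the coefficient of x^i.

```python
# Added example, not from the report: the known-plaintext cryptanalysis of
# Eqs. (11)-(12) and the rank test for n, run against constructed keystreams
# as a linearity check on a candidate generator.


def lfsr_stream(m, state, length):
    """Bits a_1, a_2, ... of the LFSR with characteristic polynomial m, from a(1) = state.
    Recurrence: a_{k+n} = sum_i c_i a_{k+i}, where c_i is the coefficient of x^i in m."""
    n = m.bit_length() - 1
    taps = [(m >> i) & 1 for i in range(n)]
    s, out = list(state), []
    for _ in range(length):
        out.append(s[0])
        s = s[1:] + [sum(c * b for c, b in zip(taps, s)) & 1]
    return out


def gf2_rank(rows):
    """Rank over GF(2) of a list of equal-length bit vectors (Gaussian elimination)."""
    rows, rank = [r[:] for r in rows], 0
    for col in range(len(rows[0]) if rows else 0):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[rank])]
        rank += 1
    return rank


def gf2_solve(A, B):
    """Solve A M = B over GF(2) for square A (lists of rows); Gauss-Jordan on [A | B]
    leaves [I | A^-1 B].  Returns None if A is singular."""
    n = len(A)
    aug = [A[i] + B[i] for i in range(n)]
    for col in range(n):
        pivot = next((i for i in range(col, n) if aug[i][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for i in range(n):
            if i != col and aug[i][col]:
                aug[i] = [x ^ y for x, y in zip(aug[i], aug[col])]
    return [row[n:] for row in aug]


def stages(bits):
    """n as the size of a maximal independent set of lengthened vectors a'(k):
    the rank of the square Hankel matrix built from the bits (needs >= 2n bits)."""
    h = len(bits) // 2
    return gf2_rank([bits[k:k + h] for k in range(h)])


def recover_matrix(bits, n):
    """Eq. (12): M = A^-1 B, rows of A are a(1..n), rows of B are a(2..n+1)."""
    A = [bits[k:k + n] for k in range(n)]
    B = [bits[k + 1:k + n + 1] for k in range(n)]
    return gf2_solve(A, B)


def regenerate(M, first_n, length):
    """Eq. (11): extend the stream with a(k) M = a(k + 1); the new bit is the last component."""
    n, v, out = len(M), list(first_n), list(first_n)
    while len(out) < length:
        v = [sum(v[i] & M[i][j] for i in range(n)) & 1 for j in range(n)]
        out.append(v[-1])
    return out[:length]


def min_period(bits):
    """Smallest shift d under which the observed bits repeat."""
    return next((d for d in range(1, len(bits))
                 if all(bits[i] == bits[i + d] for i in range(len(bits) - d))), len(bits))


def attack_reproduces(bits, known):
    """Use only the first `known` bits; True if the recovered LFSR reproduces the whole stream."""
    n = stages(bits[:known])
    if 2 * n > known:
        return False
    M = recover_matrix(bits[:known], n)
    return M is not None and regenerate(M, bits[:n], len(bits)) == bits


# Constructed inputs: the report's five-stage LFSR m(x) = x^5 + x^2 + 1 ...
PAPER_STREAM = lfsr_stream(0b100101, [0, 0, 0, 0, 1], 31)
# ... and the sum of a 3-stage (x^3 + x + 1) and a 4-stage (x^4 + x + 1) LFSR.
SUM_STREAM = [u ^ v for u, v in zip(lfsr_stream(0b1011, [1, 0, 0], 210),
                                     lfsr_stream(0b10011, [1, 0, 0, 0], 210))]

if __name__ == "__main__":
    print("".join(map(str, PAPER_STREAM)))
    print("stages:", stages(PAPER_STREAM[:10]), "reproduced from 10 bits:",
          attack_reproduces(PAPER_STREAM, 10))
    print("sum period:", min_period(SUM_STREAM), "stages:", stages(SUM_STREAM[:14]),
          "reproduced from 14 bits:", attack_reproduces(SUM_STREAM, 14))
```

With fewer than 2n bits the rank test underestimates n and the matrix A built from the truncated window is singular, so `attack_reproduces` returns False; that is the 2n requirement stated in the text, not evidence of security.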

Variations of the above scheme could also be used. For example, the output of one LFSR could
be added to the feedback instead of to the output of the other LFSR. Clearly, more investigation is
needed in these matters.

CONCLUSION 

The matrix model of the LFSR provides a powerful tool for analyzing the behavior of the
LFSR. For cryptographic applications, one makes the period $q$ of the bitstream long in comparison to
the key length $2n$. This is best achieved by choosing $n$ so that $2^n - 1$ is a Mersenne prime and
choosing the characteristic polynomial $m(x)$ of the LFSR to be irreducible. The result is an LFSR
that has the period of every nonzero bitstream equal to the maximal period $p = 2^n - 1$ of the LFSR.

Even when optimized as described above, it can be dangerous to depend on the security provided
by simple LFSR systems. The matrix model provides a straightforward method of cryptanalysis.
However, secure secrecy systems can probably be designed by using LFSRs in more
sophisticated ways.

ACKNOWLEDGMENTS 

The author acknowledges the many helpful conversations with Walton Bishop, Anthony
Gaglione, Allen Miller, Bruce Richter, and Emanuel Vegh, all of which contributed to the writing of
this report. The references suggested by Dr. Vegh were especially helpful, as were the exchanges
with Prof. Richter on some of the matrix results. The author is grateful for the support he received
during the summer at the Naval Research Laboratory; without that support he would not have
accomplished this work.

REFERENCES 

1. S.W. Golomb, Shift Register Sequences, Revised Edition (Aegean Park Press, Laguna Hills,
CA, 1982).

2. C.H. Meyer and S.M. Matyas, Cryptology: A New Dimension in Computer Data Security
(Wiley, New York, 1982).

3. G.J. Simmons, ed., Secure Communications and Asymmetric Cryptosystems, AAAS Selected
Symposium 69 (Westview Press, Boulder, CO, 1982).

4. K. Hoffman and R. Kunze, Linear Algebra (Prentice-Hall, Englewood Cliffs, NJ, 1961).

5. I. Stewart, Galois Theory (Chapman and Hall, New York, 1973).




